Cross-site scripting is a security exploit in which an attacker inserts malicious script into a link produced by a trust web server. A browser executes the injected code as if it were provided by the server. Since the security restrictions of a browser are based on the origin of the web page, the malicious script is executed by the browser under the same permission as the domain of the web application, thereby by-passing the security restrictions.
For example, consider a web site that, after a user logs in, redirects the user to a welcome page that returns content based on information passed in the URL (e.g., www.1a2b.com/default.asp?name=username) that when rendered at the client, greets the user by a username that was provided. However, if the malicious script instead of a username is provided, vulnerable servers will pass back the malicious script, and when the welcome page is rendered, the malicious script is executed on the client side. Thus, if an attacker tricks the user into clicking on a link to that site with the malicious script sent to the server instead of the username (e.g., www.1a2b.com/default.asp?name=script=<script>evilScript( )/script>), the web site passes back the code embedded in its content, as if it were the username.
When the browser interprets this part of the content as script, the browser automatically runs the script, which is normal browser behavior. However, because the script came from the web site, the script is able to instruct the browser to perform operations in that site's domain, including sending the user site's cookies to another computer. In this manner, cross-site scripting is used to steal a user's sensitive data.
Sanitization is a process that attempts to prevent cross-site scripting by validating the external input. Typically, a sanitizer checks an external input for values that are defined in accordance with an input specification. External inputs that are deemed untrusted are transformed into a representation that is no longer dangerous. For example, the input sanitizer may try to remove all JavaScript code from the input.
In some situations, the sanitizers are placed in a web application manually by one or more programmers. In this situation, the choice of a sanitizer relies on the expertise of the web developer who may have limited security skills. In another situation, the sanitizers can be automatically added into a web application through special primitives that encode HTML output in a safe way. However, this technique requires modifying the web application to include the special primitives and modifying a web browser to recognize the special primitives. For legacy web applications that are already deployed in existing systems or products, these modifications may not be feasible or may be too costly to implement.